<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.0.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"yoursite.com","root":"/","scheme":"Mist","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":true},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="SSL&#x2F;TLS什么是 SSL&#x2F;TLS&amp;emsp;传输层安全性协议（英语：Transport Layer Security，缩写作 TLS），及其前身安全套接层（Secure Sockets Layer，缩写作 SSL）是一种安全协议，目的是为互联网通信提供安全及数据完整性保障。网景公司（Netscape）在 1994 年推出首版网页浏览器，网景导航者时，推出 HTTPS 协议，以 SSL 进行加密">
<meta property="og:type" content="article">
<meta property="og:title" content="Nginx上部署TLS1.3和Brotli">
<meta property="og:url" content="http://yoursite.com/2020/04/08/Nginx%E4%B8%8A%E9%83%A8%E7%BD%B2TLS1-3%E5%92%8CBrotli/index.html">
<meta property="og:site_name" content="FU">
<meta property="og:description" content="SSL&#x2F;TLS什么是 SSL&#x2F;TLS&amp;emsp;传输层安全性协议（英语：Transport Layer Security，缩写作 TLS），及其前身安全套接层（Secure Sockets Layer，缩写作 SSL）是一种安全协议，目的是为互联网通信提供安全及数据完整性保障。网景公司（Netscape）在 1994 年推出首版网页浏览器，网景导航者时，推出 HTTPS 协议，以 SSL 进行加密">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_TLS1.2_Principle.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_TLS1.3_Principle.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_Myssl_Result.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_Ssllabs_Result.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_OCSP_Result.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_HTTP2_Result.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_Chrome_TLS1.3_Setting.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_TLS1.3_Result.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_HSTS_Result.webp">
<meta property="og:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_Brotli_Result.webp">
<meta property="article:published_time" content="2020-04-08T09:25:32.000Z">
<meta property="article:modified_time" content="2020-08-02T11:49:36.757Z">
<meta property="article:author" content="fu">
<meta property="article:tag" content="Nginx">
<meta property="article:tag" content="TLS">
<meta property="article:tag" content="Brotil">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_TLS1.2_Principle.webp">

<link rel="canonical" href="http://yoursite.com/2020/04/08/Nginx%E4%B8%8A%E9%83%A8%E7%BD%B2TLS1-3%E5%92%8CBrotli/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>Nginx上部署TLS1.3和Brotli | FU</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">FU</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="th fa-fw"></i>分类</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/04/08/Nginx%E4%B8%8A%E9%83%A8%E7%BD%B2TLS1-3%E5%92%8CBrotli/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="fu">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="FU">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Nginx上部署TLS1.3和Brotli
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2020-04-08 17:25:32" itemprop="dateCreated datePublished" datetime="2020-04-08T17:25:32+08:00">2020-04-08</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2020-08-02 19:49:36" itemprop="dateModified" datetime="2020-08-02T19:49:36+08:00">2020-08-02</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E6%8A%80%E6%9C%AF/" itemprop="url" rel="index"><span itemprop="name">技术</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E6%8A%80%E6%9C%AF/Nginx/" itemprop="url" rel="index"><span itemprop="name">Nginx</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="SSL-TLS"><a href="#SSL-TLS" class="headerlink" title="SSL/TLS"></a>SSL/TLS</h1><h2 id="什么是-SSL-TLS"><a href="#什么是-SSL-TLS" class="headerlink" title="什么是 SSL/TLS"></a>什么是 SSL/TLS</h2><p>&emsp;传输层安全性协议（英语：Transport Layer Security，缩写作 TLS），及其前身安全套接层（Secure Sockets Layer，缩写作 SSL）是一种安全协议，目的是为互联网通信提供安全及数据完整性保障。网景公司（Netscape）在 1994 年推出首版网页浏览器，网景导航者时，推出 HTTPS 协议，以 SSL 进行加密，这是 SSL 的起源。IETF 将 SSL 进行标准化，1999 年公布第一版 TLS 标准文件。随后又公布 RFC 5246 （2008 年 8 月）与 RFC 6176 （2011 年 3 月）。<br>&emsp;在浏览器、电子邮件、即时通信、VoIP、网络传真等应用程序中，广泛支持这个协议。主要的网站，如 Google、Facebook 等也以这个协议来创建安全连线，发送数据。当前已成为互联网上保密通信的工业标准。</p>
<a id="more"></a>

<h2 id="SSL-TLS-的版本"><a href="#SSL-TLS-的版本" class="headerlink" title="SSL/TLS 的版本"></a>SSL/TLS 的版本</h2><table>
<thead>
<tr>
<th align="center">协议</th>
<th align="center">发布时间</th>
<th align="center">状态</th>
</tr>
</thead>
<tbody><tr>
<td align="center">SSL 1.0</td>
<td align="center">未公布</td>
<td align="center">未公布</td>
</tr>
<tr>
<td align="center">SSL 2.0</td>
<td align="center">1995 年</td>
<td align="center">已于 2011 年弃用</td>
</tr>
<tr>
<td align="center">SSL 3.0</td>
<td align="center">1996 年</td>
<td align="center">已于 2015 年弃用</td>
</tr>
<tr>
<td align="center">TLS 1.0</td>
<td align="center">1999 年</td>
<td align="center">计划于 2020 年弃用</td>
</tr>
<tr>
<td align="center">TLS 1.1</td>
<td align="center">2006 年</td>
<td align="center">计划于 2020 年弃用</td>
</tr>
<tr>
<td align="center">TLS 1.2</td>
<td align="center">2008 年</td>
<td align="center"></td>
</tr>
<tr>
<td align="center">TLS 1.3</td>
<td align="center">2018 年</td>
<td align="center"></td>
</tr>
</tbody></table>
<h2 id="为什么要禁用-TLS1-0、TLS1-1"><a href="#为什么要禁用-TLS1-0、TLS1-1" class="headerlink" title="为什么要禁用 TLS1.0、TLS1.1"></a>为什么要禁用 TLS1.0、TLS1.1</h2><p>&emsp;SSL 由于以往发现的漏洞，已经被证实不安全。而 TLS1.0 与 SSL3.0 的区别实际上并不太多，并且 TLS1.0 可以通过某些方式被强制降级为 SSL3.0。<br>&emsp;由此，支付卡行业安全标准委员会（PCI SSC）强制取消了支付卡行业对 TLS 1.0 的支持，同时强烈建议取消对 TLS 1.1 的支持。<br>&emsp;苹果、谷歌、微软、Mozilla 也发表了声明，将于 2020 年初放弃对 TLS 1.1 和 TLS 1.0 的支持。其原因是这两个版本使用的是过时的算法和加密系统，经发现，这些算法和系统是十分脆弱的，比如 SHA-1 和 MD5。它们也缺乏像完美的前向保密性这样的现代特征，并且容易受到降级攻击的影响。</p>
<h2 id="TLS-1-3"><a href="#TLS-1-3" class="headerlink" title="TLS 1.3"></a>TLS 1.3</h2><p>在2018年8月份，IETF终于宣布TLS 1.3规范正式发布了，标准规范（Standards Track）定义在 <a target="_blank" rel="noopener" href="https://tools.ietf.org/html/rfc8446">rfc8446</a>。</p>
<p><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_TLS1.2_Principle.webp"></p>
<p><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_TLS1.3_Principle.webp"></p>
<h3 id="TLS-1-3-相较之前版本的优化内容有："><a href="#TLS-1-3-相较之前版本的优化内容有：" class="headerlink" title="TLS 1.3 相较之前版本的优化内容有："></a>TLS 1.3 相较之前版本的优化内容有：</h3><ul>
<li><strong>握手时间：</strong>同等情况下，TLSv1.3 比 TLSv1.2 少一个 RTT</li>
<li><strong>应用数据：</strong>在会话复用场景下，支持 0-RTT 发送应用数据</li>
<li><strong>握手消息：</strong>从 ServerHello 之后都是密文。</li>
<li><strong>会话复用机制：</strong>弃用了 Session ID 方式的会话复用，采用 PSK 机制的会话复用。</li>
</ul>
<p>总结一下就是在更安全的基础上还做到了更快，目前 TLS 1.3 的重要实现是 OpenSSL 1.1.1 开始支持了，在 Nginx 上的实现需要 Nginx 1.13+。</p>
<h1 id="Brotli"><a href="#Brotli" class="headerlink" title="Brotli"></a>Brotli</h1><p>&emsp;Brotli 是由 Google 于 2015 年 9 月推出的无损压缩算法，它通过用变种的 LZ77 算法，Huffman 编码和二阶文本建模进行数据压缩，是一种压缩比很高的压缩方法，现代网站大多用的压缩算法都是 GZIP，它也是非常有效的一种压缩算法，可以节省网站服务器和用户之间传输数据所需要花费的时间，但是这个 Brotli，据闻能比 gzip 做得更好，不仅能获得更高的压缩比率，而且对压缩/解压速度影响也比较小，可以去谷歌的 GitHub 了解一下<a target="_blank" rel="noopener" href="https://github.com/google/brotli">该项目</a></p>
<p>Brotli 具有如下特点:</p>
<ul>
<li>针对常见的 Web 资源内容，Brotli 的性能要比 GZIP 好 17-25%；</li>
<li>Brotli 压缩级别为 1 时，压缩速度是最快的，而且此时压缩率比 gzip 压缩等级为 9（最高）时还要高；</li>
<li>在处理不同 HTML 文档时，brotli 依然提供了非常高的压缩率; </li>
</ul>
<p>在兼容 GZIP 的同时，相较 GZIP:</p>
<ul>
<li>JavaScript 上缩小 14%</li>
<li>HTML上缩小 21%</li>
<li>CSS上缩小 17% </li>
</ul>
<p>&emsp;Brotli 的支持必须依赖 HTTPS，不过换句话说就是只有在 HTTPS 下才能实现 Brotli。Brotli压缩可以和GZIP和谐共存，而且Brotli压缩效率要高于GZIP，因此推荐给服务器编译配置Brotli压缩。当同时开启Brotli跟GZIP两种压缩算法时，Brotli压缩等级优先级高于GZIP，并不会造成冲突。</p>
<h1 id="安装"><a href="#安装" class="headerlink" title="安装"></a>安装</h1><h2 id="下载源码"><a href="#下载源码" class="headerlink" title="下载源码"></a>下载源码</h2><p>HTTP/2 要求 Nginx 1.9.5+，OpenSSL 1.0.2+<br>TLS 1.3 要求 Nginx 1.13+，OpenSSL 1.1.1及之后的版本+<br>Brotli 要求 HTTPS，并在 Nginx 中添加扩展支持<br>建议去官网随时关注最新版：<a target="_blank" rel="noopener" href="https://nginx.org/en/download.html">Nginx</a>，<a target="_blank" rel="noopener" href="https://www.openssl.org/source/">OpenSSL</a>，<a target="_blank" rel="noopener" href="https://github.com/google/ngx_brotli">ngx_brotil</a></p>
<p><strong>Nginx</strong></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> /opt</span><br><span class="line">$ wget -c https://nginx.org/download/nginx-1.18.0.tar.gz</span><br><span class="line">$ tar xzf nginx-1.18.0.tar.gz</span><br></pre></td></tr></table></figure>
<p><strong>OpenSSL</strong></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 可以先查看已安装OpenSSL版本</span></span><br><span class="line">$ openssl version -a</span><br><span class="line">OpenSSL 1.1.1d  10 Sep 2019</span><br><span class="line">built on: Sun Mar  8 08:45:14 2020 UTC</span><br><span class="line">platform: linux-x86_64</span><br><span class="line">options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) </span><br><span class="line">compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG</span><br><span class="line">OPENSSLDIR: <span class="string">&quot;/usr/local/openssl/ssl&quot;</span></span><br><span class="line">ENGINESDIR: <span class="string">&quot;/usr/local/openssl/lib/engines-1.1&quot;</span></span><br><span class="line">Seeding <span class="built_in">source</span>: os-specific</span><br><span class="line"></span><br><span class="line"><span class="comment"># 开始下载新版本</span></span><br><span class="line">$ <span class="built_in">cd</span> /opt</span><br><span class="line">$ wget https://www.openssl.org/<span class="built_in">source</span>/openssl-1.1.1g.tar.gz</span><br><span class="line">$ tar xzf openssl-1.1.1g.tar.gz</span><br></pre></td></tr></table></figure>
<p><strong>Brotli</strong></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> /opt</span><br><span class="line">$ git <span class="built_in">clone</span> https://github.com/google/ngx_brotli.git</span><br><span class="line">$ <span class="built_in">cd</span> ngx_brotli</span><br><span class="line">$ git submodule update --init</span><br></pre></td></tr></table></figure>

<h2 id="编译以及安装"><a href="#编译以及安装" class="headerlink" title="编译以及安装"></a>编译以及安装</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ nginx -V</span><br></pre></td></tr></table></figure>
<p>先用使用以上命令查询出已有nginx有安装的模块以及配置的路径，之后再原有的基础上增加</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">--prefix&#x3D;&#x2F;usr&#x2F;local&#x2F;nginx \  ## 编译后安装的目录位置，可以替换成跟原来一样</span><br><span class="line">--with-openssl&#x3D;&#x2F;opt&#x2F;openssl-1.1.1f  \ ## 指定单独编译入 OpenSSL 的源码位置</span><br><span class="line">--with-openssl-opt&#x3D;enable-tls1_3 \ ## 开启 TLS 1.3 支持</span><br><span class="line">--with-http_v2_module \ ## 开启 HTTP&#x2F;2 </span><br><span class="line">--with-http_ssl_module \ ## 开启 HTTPS 支持</span><br><span class="line">--with-http_gzip_static_module \ ## 开启 GZIP 压缩</span><br><span class="line">--add-module&#x3D;&#x2F;opt&#x2F;ngx_brotli ## 编译入 ngx_BroTli 扩展</span><br></pre></td></tr></table></figure>
<p>综合两者，最后编译Nginx</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> /opt/nginx-1.18.0</span><br><span class="line"></span><br><span class="line">$ ./configure \</span><br><span class="line">--prefix=/etc/nginx \</span><br><span class="line">--sbin-path=/usr/sbin/nginx \</span><br><span class="line">--modules-path=/usr/lib64/nginx/modules \</span><br><span class="line">--conf-path=/etc/nginx/nginx.conf \</span><br><span class="line">--error-log-path=/var/<span class="built_in">log</span>/nginx/error.log \</span><br><span class="line">--http-log-path=/var/<span class="built_in">log</span>/nginx/access.log \</span><br><span class="line">--pid-path=/var/run/nginx.pid \</span><br><span class="line">--lock-path=/var/run/nginx.lock \</span><br><span class="line">--http-client-body-temp-path=/var/cache/nginx/client_temp \</span><br><span class="line">--http-proxy-temp-path=/var/cache/nginx/proxy_temp \</span><br><span class="line">--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \</span><br><span class="line">--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \</span><br><span class="line">--http-scgi-temp-path=/var/cache/nginx/scgi_temp \</span><br><span class="line">--user=nginx \</span><br><span class="line">--group=nginx \</span><br><span class="line">--with-compat \</span><br><span class="line">--with-file-aio \</span><br><span class="line">--with-threads \</span><br><span class="line">--with-http_addition_module \</span><br><span class="line">--with-http_auth_request_module \</span><br><span class="line">--with-http_dav_module \</span><br><span class="line">--with-http_flv_module \</span><br><span class="line">--with-http_gunzip_module \</span><br><span class="line">--with-http_gzip_static_module \</span><br><span class="line">--with-http_mp4_module \</span><br><span class="line">--with-http_random_index_module \</span><br><span class="line">--with-http_realip_module \</span><br><span class="line">--with-http_secure_link_module \</span><br><span class="line">--with-http_slice_module \</span><br><span class="line">--with-http_ssl_module \</span><br><span class="line">--with-http_stub_status_module \</span><br><span class="line">--with-http_sub_module \</span><br><span class="line">--with-http_v2_module \</span><br><span class="line">--with-mail \</span><br><span class="line">--with-mail_ssl_module \</span><br><span class="line">--with-stream \</span><br><span class="line">--with-stream_realip_module \</span><br><span class="line">--with-stream_ssl_module \</span><br><span class="line">--with-stream_ssl_preread_module \</span><br><span class="line">--with-cc-opt=<span class="string">&#x27;-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC&#x27;</span> \</span><br><span class="line">--with-ld-opt=<span class="string">&#x27;-Wl,-z,relro -Wl,-z,now -pie&#x27;</span> \</span><br><span class="line">--with-openssl=/opt/openssl-1.1.1g \</span><br><span class="line">--with-openssl-opt=<span class="built_in">enable</span>-tls1_3 \</span><br><span class="line">--add-module=/opt/ngx_brotli</span><br><span class="line"></span><br><span class="line"><span class="comment"># 编译并安装</span></span><br><span class="line">$ make &amp;&amp; make install</span><br></pre></td></tr></table></figure>

<h1 id="Nginx配置"><a href="#Nginx配置" class="headerlink" title="Nginx配置"></a>Nginx配置</h1><p><strong>HTTP2</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">listen 443 ssl http2;</span><br></pre></td></tr></table></figure>
<p>只要在 server{} 下的lisen 443 ssl 后添加 http2 即可。而且从 1.15 开始，只要写了这一句话就不需要再写 ssl on 了。</p>
<p><strong>只开启TLS 1.2与TLS1.3</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ssl_protocols  TLSv1.2 TLSv1.3;</span><br></pre></td></tr></table></figure>
<p><strong>然后我们再修改对应的加密算法算法：</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;</span><br></pre></td></tr></table></figure>
<p>默认情况下 Nginx 因为安全原因，没有开启 TLS 1.3 0-RTT，可以通过添加 ssl_early_data on; 指令开启 0-RTT的支持。</p>
<p><strong>Brotli</strong><br>只需要在对应配置文件中，添加下面代码即可：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">brotli                     on;</span><br><span class="line">brotli_comp_level          6;</span><br><span class="line">brotli_min_length          1k;</span><br><span class="line">brotli_types               text&#x2F;plain text&#x2F;css text&#x2F;xml text&#x2F;javascript text&#x2F;x-component application&#x2F;json application&#x2F;javascript application&#x2F;x-javascript application&#x2F;xml application&#x2F;xhtml+xml application&#x2F;rss+xml application&#x2F;atom+xml application&#x2F;x-font-ttf application&#x2F;vnd.ms-fontobject image&#x2F;svg+xml image&#x2F;x-icon font&#x2F;opentype;</span><br></pre></td></tr></table></figure>
<p>下面放一个完整的<code>server&#123;&#125;</code>供大家参考：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><span class="line">server &#123;</span><br><span class="line">        listen       443 ssl http2; # 开启 http&#x2F;2</span><br><span class="line">        server_name  chenjunxin.com;</span><br><span class="line"></span><br><span class="line">        #证书部分</span><br><span class="line">        ssl_certificate cert&#x2F;3475595_www.chenjunxin.com.pem;</span><br><span class="line">        ssl_certificate_key cert&#x2F;3475595_www.chenjunxin.com.key;</span><br><span class="line"></span><br><span class="line">        #TLS 握手优化</span><br><span class="line">        ssl_session_cache    shared:SSL:1m;</span><br><span class="line">        ssl_session_timeout  5m;</span><br><span class="line">        keepalive_timeout    75s;</span><br><span class="line">        keepalive_requests   100;</span><br><span class="line">     </span><br><span class="line">        #TLS 版本控制</span><br><span class="line">        ssl_protocols TLSv1.2 TLSv1.3; # Requires nginx &gt;&#x3D; 1.13.0 else use TLSv1.2</span><br><span class="line">        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;</span><br><span class="line">    </span><br><span class="line">        #服务端加密算法优先 </span><br><span class="line">        ssl_prefer_server_ciphers on;</span><br><span class="line">        </span><br><span class="line">        #开启1.3 0-RTT</span><br><span class="line">        ssl_early_data on;</span><br><span class="line">     </span><br><span class="line">         # GZip 和 Brotli</span><br><span class="line">        gzip            on;</span><br><span class="line">        gzip_comp_level 6;</span><br><span class="line">        gzip_min_length 1k;</span><br><span class="line">        gzip_types      text&#x2F;plain text&#x2F;css text&#x2F;xml text&#x2F;javascript text&#x2F;x-component application&#x2F;json application&#x2F;javascript application&#x2F;x-javascript application&#x2F;xml application&#x2F;xhtml+xml application&#x2F;rss+xml application&#x2F;atom+xml application&#x2F;x-font-ttf application&#x2F;vnd.ms-fontobject image&#x2F;svg+xml image&#x2F;x-icon font&#x2F;opentype;</span><br><span class="line">        brotli          on;</span><br><span class="line">        brotli_comp_level   6;</span><br><span class="line">        brotli_min_length   1k;</span><br><span class="line">        brotli_types    text&#x2F;plain text&#x2F;css text&#x2F;xml text&#x2F;javascript text&#x2F;x-component application&#x2F;json application&#x2F;javascript application&#x2F;x-javascript application&#x2F;xml application&#x2F;xhtml+xml application&#x2F;rss+xml application&#x2F;atom+xml application&#x2F;x-font-ttf application&#x2F;vnd.ms-fontobject image&#x2F;svg+xml image&#x2F;x-icon font&#x2F;opentype;</span><br><span class="line">    </span><br><span class="line">        ##OCSP Stapling开启,OCSP是用于在线查询证书吊销情况的服务，使用OCSP Stapling能将证书有效状态的信息缓存到服务器，提高TLS握手速度</span><br><span class="line">        ssl_stapling  on;   </span><br><span class="line">        #OCSP Stapling验证开启</span><br><span class="line">        ssl_stapling_verify on;</span><br><span class="line">        #用于查询OCSP服务器的DNS</span><br><span class="line">        resolver 8.8.8.8 114.114.114.114 valid&#x3D;300s;</span><br><span class="line">        #查询域名超时时间</span><br><span class="line">        resolver_timeout 5s;   </span><br><span class="line">    </span><br><span class="line">        #开启HSTS，并设置有效期为31536000秒，包括子域名(根据情况可删掉)：includeSubdomains，预加载到浏览器缓存(根据情况可删掉)</span><br><span class="line">        add_header  Strict-Transport-Security &quot;max-age&#x3D;31536000; includeSubDomains; preload&quot;;</span><br><span class="line"></span><br><span class="line">        location &#x2F; &#123;</span><br><span class="line">            root   html;</span><br><span class="line">            index  index.html index.htm;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>
<p>后面就可以用<code>nginx -t</code>检测配置是否正确，正确的话可以用<code>nginx -s reload</code>重载Nginx。</p>
<h1 id="验证"><a href="#验证" class="headerlink" title="验证"></a>验证</h1><p><a target="_blank" rel="noopener" href="https://myssl.com/chenjunxin.com?status=success">MySSL.com</a>检测A+，整体配置过关。<br><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_Myssl_Result.webp"></p>
<p><a target="_blank" rel="noopener" href="https://www.ssllabs.com/ssltest/analyze.html?d=chenjunxin.com">ssllabs.com</a>检测A+，整体配置过关。<br><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_Ssllabs_Result.webp"></p>
<h2 id="OSCP"><a href="#OSCP" class="headerlink" title="OSCP"></a>OSCP</h2><p>在Nginx配置中开启OSCP配置，可以在以上的<a target="_blank" rel="noopener" href="https://www.ssllabs.com/ssltest/analyze.html?d=chenjunxin.com">ssllabs.com</a>的检测信息中看到:<br><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_OCSP_Result.webp"></p>
<h2 id="HTTP-2"><a href="#HTTP-2" class="headerlink" title="HTTP/2"></a>HTTP/2</h2><p>通过浏览器的<strong>开发者工具</strong>，我们可以在<strong>Network</strong>栏目中看到<strong>Protocol</strong>中显示 <code>h2</code>有无来判断。<br><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_HTTP2_Result.webp"></p>
<h2 id="TLS-1-3-1"><a href="#TLS-1-3-1" class="headerlink" title="TLS 1.3"></a>TLS 1.3</h2><p>目前主流的浏览器都支持 TLS 1.3 版本：<br>Chrome 从 62 版本默认开启 TLS 1.3 的支持，如果是 62 以下的版本，可以进行下列的配置</p>
<ol>
<li>工具栏上打开 chrome://flags/</li>
<li>启用 TLS 1.3<br><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_Chrome_TLS1.3_Setting.webp"></li>
</ol>
<p>Firefox 从 47 版本默认开启 TLS 1.3 的支持，如果是 47 以下的版本，可以进行下列的配置。</p>
<ol>
<li>工具栏上打开 about:config</li>
<li>修改 security.tls.version.max 为 4</li>
<li>重新启动浏览器</li>
</ol>
<p>然后可以通过浏览器的<strong>开发者工具</strong>中的<strong>Security</strong>栏目看到<strong>Connection</strong>栏目下是否有显示 TLS 1.3<br><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_TLS1.3_Result.webp"></p>
<h2 id="HSTS"><a href="#HSTS" class="headerlink" title="HSTS"></a>HSTS</h2><p>Nginx配置中设置了HSTS，这使得服务器每次response都告诉浏览器所有请求都强制使用https，就算用户手动输入http 地址也会在浏览器内部替换为https 请求，在根源上杜绝浏览器与服务器建立非安全连接。<br><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_HSTS_Result.webp"></p>
<h2 id="Brotli-1"><a href="#Brotli-1" class="headerlink" title="Brotli"></a>Brotli</h2><p>通过浏览器的开发者工具，我们可以在 Network 栏目中，打开具体页面的头信息，看到 **accept-encoding **中有 br 字眼就行。<br><img src="https://oss.chenjunxin.com/picture/blogPicture/9f670eb_Brotli_Result.webp"></p>
<h1 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h1><ul>
<li><a target="_blank" rel="noopener" href="https://www.mf8.biz/nginx-install-tls1-3/">Nginx 上部署 TLS1.3、Brotli、ECC双证书实践</a></li>
<li><a target="_blank" rel="noopener" href="https://razeencheng.com/post/nginx-tls1.3-draft26">TLS1.3正式更新，为Nginx添加TLS1.3的支持</a></li>
<li><a target="_blank" rel="noopener" href="https://herbertgao.com/16/">Nginx禁用TLS1.0与1.1的尝试</a></li>
<li><a target="_blank" rel="noopener" href="https://www.jianshu.com/p/aa3f7c4d3a10">让Nginx快速支持TLS1.3协议</a></li>
<li><a target="_blank" rel="noopener" href="https://ngx.hk/2018/02/20/%E6%88%91%E5%8D%9A%E5%AE%A2%E7%9A%84nginx%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E8%AF%A6%E8%A7%A3.html">我博客的nginx配置文件详解</a></li>
<li><a target="_blank" rel="noopener" href="https://chziyue.com/post/37.html">使用 OCSP Stapling 来优化 SSL 的速度与隐私安全</a></li>
<li><a target="_blank" rel="noopener" href="https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#toc_0">Strong SSL Security on nginx</a></li>
<li><a target="_blank" rel="noopener" href="https://www.cnblogs.com/xuegqcto/p/10681774.html">TLS / SSL密码强化的建议</a></li>
<li><a target="_blank" rel="noopener" href="https://hexuanzhang.com/1716447603.html">Nginx 配置双证书（RSA、ECC）</a></li>
</ul>

    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/Nginx/" rel="tag"># Nginx</a>
              <a href="/tags/TLS/" rel="tag"># TLS</a>
              <a href="/tags/Brotil/" rel="tag"># Brotil</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2020/03/21/%E4%BD%BF%E7%94%A8Google%E5%AE%98%E6%96%B9%E6%8E%A8%E8%8D%90%E7%9A%84webp%E8%BF%9B%E8%A1%8C%E5%9B%BE%E7%89%87%E5%8E%8B%E7%BC%A9/" rel="prev" title="使用Google官方推荐的webp进行图片压缩">
      <i class="fa fa-chevron-left"></i> 使用Google官方推荐的webp进行图片压缩
    </a></div>
      <div class="post-nav-item">
    <a href="/2020/08/08/hello-world/" rel="next" title="Hello World">
      Hello World <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#SSL-TLS"><span class="nav-text">SSL&#x2F;TLS</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%BB%80%E4%B9%88%E6%98%AF-SSL-TLS"><span class="nav-text">什么是 SSL&#x2F;TLS</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#SSL-TLS-%E7%9A%84%E7%89%88%E6%9C%AC"><span class="nav-text">SSL&#x2F;TLS 的版本</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%B8%BA%E4%BB%80%E4%B9%88%E8%A6%81%E7%A6%81%E7%94%A8-TLS1-0%E3%80%81TLS1-1"><span class="nav-text">为什么要禁用 TLS1.0、TLS1.1</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TLS-1-3"><span class="nav-text">TLS 1.3</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#TLS-1-3-%E7%9B%B8%E8%BE%83%E4%B9%8B%E5%89%8D%E7%89%88%E6%9C%AC%E7%9A%84%E4%BC%98%E5%8C%96%E5%86%85%E5%AE%B9%E6%9C%89%EF%BC%9A"><span class="nav-text">TLS 1.3 相较之前版本的优化内容有：</span></a></li></ol></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#Brotli"><span class="nav-text">Brotli</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%AE%89%E8%A3%85"><span class="nav-text">安装</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%B8%8B%E8%BD%BD%E6%BA%90%E7%A0%81"><span class="nav-text">下载源码</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%BC%96%E8%AF%91%E4%BB%A5%E5%8F%8A%E5%AE%89%E8%A3%85"><span class="nav-text">编译以及安装</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#Nginx%E9%85%8D%E7%BD%AE"><span class="nav-text">Nginx配置</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E9%AA%8C%E8%AF%81"><span class="nav-text">验证</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#OSCP"><span class="nav-text">OSCP</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#HTTP-2"><span class="nav-text">HTTP&#x2F;2</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TLS-1-3-1"><span class="nav-text">TLS 1.3</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#HSTS"><span class="nav-text">HSTS</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Brotli-1"><span class="nav-text">Brotli</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%8F%82%E8%80%83%E9%93%BE%E6%8E%A5"><span class="nav-text">参考链接</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">fu</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives">
          <span class="site-state-item-count">9</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">9</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">15</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/yourname" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;yourname" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="https://weibo.com/yourname" title="Weibo → https:&#x2F;&#x2F;weibo.com&#x2F;yourname" rel="noopener" target="_blank"><i class="fab fa-weibo fa-fw"></i>Weibo</a>
      </span>
  </div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">fu</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://mist.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  




  
<script src="/js/local-search.js"></script>













  

  

</body>
</html>
